Re: PostgreSQL with SSL
| From | Jose Berardo |
|---|---|
| Subject | Re: PostgreSQL with SSL |
| Date | |
| Msg-id | h2m9009a4451004160815v9e244b70u3e3bb71c5d01a986@mail.gmail.com |
| In response to | Re: PostgreSQL with SSL (Tom Lane <tgl@sss.pgh.pa.us>) |
| List | pgsql-admin |

Hello,

On Thu, Apr 15, 2010 at 6:30 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Jose Berardo <joseberardo@gmail.com> writes:
>>>> - Is it possible to store the server.key in a ciphered file with
>
>>> No.
>
>> I believe that it may be a good idea, it may bring another security level,
>
> Not really.
>
>> Just saving the private key file inside the cluster with no privileges for
>> other users (the server suggests 0600 mask for it) is still sufficient to
>> protect the key?
>
> If someone can access that file, they can also attach to the running
> server process and pull the decrypted key out of it. In any case,
> providing the server with the key to decrypt the ssl key is not going
> to be convenient in operation. You're not going to want to store that
> key on disk are you? Do you want somebody around to manually provide
> it every time the server restarts? That gets old pretty fast, when
> all it's buying you is a largely-imaginary security gain.
>
> regards, tom lane
>

Thanks Tom.

Your few words were a very elucidative explanation. I thought that attacking the running server process was much more difficult than just opening a file, and the need for someone to provide the symmetric key which will open the private key was just a question of trade-off (security vs availability).

--
Regards,
Jose Berardo
Especializa Treinamentos
www.especializa.com.br
+55 81 3465.0032
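
An added example (not part of the original thread): a Python audit of the two properties discussed above, namely that the key file's mode is no looser than the 0600 the server suggests, and whether the PEM is passphrase-protected and so would need someone to supply the passphrase at every restart. The function name, finding labels and sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_key_file(path, expected_uid=None):
    """Return findings for a TLS private key file; an empty list means clean."""
    findings = []
    st = os.lstat(path)                      # lstat so a symlink is noticed
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
        st = os.stat(path)                   # then inspect the target
    if not stat.S_ISREG(st.st_mode):
        return findings + ["not-regular-file"]
    # Any group/other bit set means the mode is looser than 0600.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-world-access")
    if st.st_uid != (os.geteuid() if expected_uid is None else expected_uid):
        findings.append("wrong-owner")
    # PEM header lines reveal a passphrase-protected key: PKCS#8 uses
    # "BEGIN ENCRYPTED PRIVATE KEY", the traditional format "Proc-Type: 4,ENCRYPTED".
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            if line.startswith(("-----BEGIN", "Proc-Type:")) and "ENCRYPTED" in line:
                findings.append("passphrase-protected")
                break
    return findings

def demo():
    """Audit three constructed files (placeholder bodies, not real keys)."""
    plain = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
    enc = plain.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in (("loose.key", plain, 0o644),
                                 ("tight.key", plain, 0o600),
                                 ("enc.key", enc, 0o600)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(body)
            os.chmod(p, mode)
            results[name] = audit_key_file(p)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

The "passphrase-protected" finding is informational: it marks a key that cannot be loaded unattended, which is the operational cost raised in the reply quoted above.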